In spite of a seemingly never-ending stream of high profile data breaches and hacks, a worrying number of organizations still feel that updating and optimizing privacy practices is a backburner item. A new study from data privacy compliance platform Osano provides some very sharp and eye-popping numbers to the contrary; sloppy privacy practices can be tied directly to an 80% increase in the likelihood of being breached.
“We’re seeing this premise play out in events happening today,” according to Arlo Gilbert, CEO and co-founder of Osano. “Last Wednesday, Twitter suffered a breach that exposed 130 accounts, and perpetrators downloaded personal data from eight accounts, which could now trigger CCPA regulations. Twitter has a Very Poor Osano Privacy Score, so the breach shouldn’t be surprising. We saw a similar example with Capital One. In July 2019, the company suffered a breach that exposed 100 million of its customers, and incurred $150 million in fines. Before the breach, their Privacy Score was poor and in the aftermath of the breach, after the company cleaned up its security and privacy policies, their privacy score went up. Twitter and CapitalOne are a perfect case studies to underscore how privacy is a predictive indicator of impact in a data breach.”
The link between privacy practices and data breaches
The Osano study incorporated the 11,000 most-visited websites, and evaluated them on a detailed new ratings scale that is based on the terms in their privacy policies. About 2.77% of these sites, or roughly 305, experienced data breaches at some point in the previous 15 years.
Poor privacy practices nearly double a company’s odds of landing in that not-so-illustrious group.
What leads to this sharp increase in the odds? Osano identifies three primary areas of concern that cut across all industries: how data is shared with vendors, how companies respond once notified of data breaches, and the level of preparation for attacks by hackers. Additionally, companies in the financial industry have a specific elevated risk of data breaches due to inside jobs. And government and educational institutions with top-level “.gov” and “.edu” domains are almost 27% more likely to experience data breaches than other types of organizations.
So what constitutes “poor privacy practices” in this context? The study evaluated websites according to 163 different factors, assigning each a final overall score in the range of 300 to 850 (similar to the range used for United States credit scores). Factors included policies about selling data to (or sharing it with) third parties, use of data for targeted advertising, end user privacy policies that can be easily found and understood by the average person, and whether data on children under the age of 13 was collected among other factors. The study led to the creation of PrivacyMonitor.com, a site maintained by Osano that will display the privacy score of any website that has been evaluated by the platform.
The study demonstrates that this privacy score directly correlates with the likelihood of data breaches. Some elements of this are obvious; for example, the more sources that an organization shares user data with, the more possible points of compromise there are. Some are known points of concern, but perhaps have been underestimated. For example, the study found that every two out of three data breaches was caused by a third-party vendor and that the average company now shares data with about 750 of these vendors.
To put it in more concrete numbers, the study indicates that 1.86% of all websites with strong privacy practices can expect to weather data breaches at some point. 3.36% of those with poor privacy practices can expect to be breached.
The study also…
New Virginia Consumer Privacy Law Adds Data Rights, Creates New Requirements for Data Controllers
Virginia is the latest state to adopt a consumer privacy law, with the Virginia Consumer D…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
